Description of problem:
When trying to log in to installed system, there is a delay in about 20 seconds after password is entered. After the delay, user is logged into system.
There are AVC denials in audit.log and this issue is not reproducible in permissive mode.
Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-32.fc18.noarch
systemd-194-1.fc18.s390x
How reproducible:
always
Steps to Reproduce:
1. install system and reboot
2. try to log into the system
Actual results:
about 20 seconds delay between entering password and logging into system, AVC denials
Expected results:
user is logged in without a delay, no AVC denials
Additional info:
Tested only on s390x.

Created attachment 640642[details]
audit.log file after the fix-up of systemd-logind makefile and login is not delayed
The audit.log file after the "avc" denial problem is fixed by properly compiling the systemd-logind binary. Note that the contents of the "Before_Fix_audit.log" are also included in this file.

Please refer to the attachments as given in the RH Bugzilla.
Due to this bug the usual login attempt takes in excess of 20 secs.
The Fedora-18 version is date 20121105, and downloaded from "http://s390.koji.fedoraproject.org/tree/test/20121105/s390x/os/"
Explanation (root-cause) of the issue:-
The offending line (in audit.log) is:-
type=AVC msg=audit(1352272376.592:8): avc: denied { execmod } for pid=604 comm="systemd-logind" path="/usr/lib/systemd/systemd-logind" dev="dm-2" ino=790 765 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file
In the above we see that there is an 'avc' denial. The systemd-logind daemon is invoked every time the login attempt is done (please refer to the '.log' files in the attachments). The systemd-logind steps are causing errors with SELinux, which does not find (part of) the systemd-logind binary as made 'relocatable' at build time. Hence the error. The repeated invocations of this daemon will cause the login to get delayed. A thorough description of how text relocation can cause the issue of "AVC Denial" is best explained at "http://www.akkadia.org/drepper/textrelocs.html". Please refer to the screen-dump below:-
[mockbuild@r3530040 systemd-195_DISSECTION]$ rpm -qf /usr/lib/systemd/systemd-logind
systemd-195-2.fc18.s390x
[mockbuild@r3530040 systemd-195_DISSECTION]$ eu-findtextrel /usr/lib/systemd/systemd-logind
either the file containing the function '_fini' or the file containing the function '' is not compiled with -fpic/-fPIC
[mockbuild@r3530040 systemd-195_DISSECTION]$ which eu-findtextrel
/usr/bin/eu-findtextrel
[mockbuild@r3530040 systemd-195_DISSECTION]$ rpm -qf /usr/bin/eu-findtextrel
elfutils-0.155-1.fc18.s390x
It is evident that (a part of) systemd-logind binary is not compiled with "-fPIC" flag. In order to further narrow-down on the problem the "systemd-195-2.fc18.src.rpm" was downloaded and built. This leaves (in the $HOME/rpmbuild/BUILD/systemd-195/.libs/ directory) an "Un-Stripped" version of the systemd-logind binary, and which shows the problem area in more detail:-
[mockbuild@r3530040 systemd-195_DISSECTION]$ eu-findtextrel ~/rpmbuild/BUILD/systemd-195/.libs/systemd-logind
either the file containing the function '__PRETTY_FUNCTION__.8524' or the file containing the function '__PRETTY_FUNCTION__.8532' is not compiled with -fpic/-fPIC. The following screen-dump shows the offending object code:-
[mockbuild@r3530040 systemd-195_DISSECTION]$ cd ~/rpmbuild;for oName in `find ./ -name '*.o' -print`; do nm -a $oName|grep PRETTY|grep 8532 && echo $oName; nm -a $oName|grep PRETTY|grep 8524 && echo $oName; done;cd -
0000000000000000 r __PRETTY_FUNCTION__.8532
0000000000000000 r .rodata.__PRETTY_FUNCTION__.8532
./BUILD/systemd-195/src/login/systemd_logind-logind-inhibit.o
0000000000000000 r __PRETTY_FUNCTION__.8524
0000000000000000 r .rodata.__PRETTY_FUNCTION__.8524
./BUILD/systemd-195/src/login/systemd_logind-logind-user.o
/home/mockbuild/systemd-195_DISSECTION
From above it is evident that above object files were not compiled with the "-fPIC" option, and the make-file is manually changed (note the -fPIC):-
[mockbuild@r3530040 systemd-195]$ diff ./Makefile Makefile.orig
7998,7999c7998
< #MANIKJ
< -fPIC -c -o src/login/systemd_logind-logind-inhibit.o `test -f 'src/login/logind-inhibit.c' || echo '/'`src/login/logind-inhibit.c
---
> -c -o src/login/systemd_logind-logind-inhibit.o `test -f 'src/login/logind-inhibit.c' || echo '/'`src/login/logind-inhibit.c
The resulting 'systemd-logind' binary is 'stripped' and is placed in "/usr/lib/systemd/systemd-logind" (overwriting the older one). The system is rebooted, and there is *NO* delay in login

This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.
Thank you for reporting this bug and we are sorry it could not be fixed.